Popular JavaScript library can be hacked to allow attackers into user accounts


  • Node-forge cryptography library flaw (CVE-2025-12816) allowed bypass of signature and certificate validation
  • CERT-CC warns of risks including authentication bypass and signed data tampering
  • Maintainers released version 1.3.2; developers urged to update immediately

A popular JavaScript cryptography library contains a vulnerability that could allow threat actors to break into user accounts. The library has since been updated, and users are urged to move to the new version as soon as possible.

The bug was found in the ‘node-forge’ package, a popular cryptography tool that provides functions for things like encryption, decryption, hashing, digital signatures, TLS/SSL, and key generation, all without needing native modules.

The bug lets an attacker craft a bogus ASN.1 data structure that tricks the library into skipping cryptographic checks, allowing signature or certificate validation to be bypassed. It is tracked as CVE-2025-12816 and is given a severity ...


Copyright of this story solely belongs to techradar.com.